Autocorrel I: A Neural Network Based Network Event Correlation Approach

Abstract: Network event correlation is the process of discovering and reporting correlations between network events. Network intrusion detection analysts who have capable event correlation software at their disposal are more effective, because the software gives them a broader view of the threats posed to their systems. A network administrator uses the correlation information to deduce the true relationship between individual network events. The autoassociator is ideally suited to the task of network event correlation: it is a specialized neural network architecture that can be used to cluster numerically similar data instances. We use the autoassociator to build prototype software that clusters network alerts generated by a Snort intrusion detection system, discuss why the results are significant, and describe how the approach can be applied to other types of network events.
